Thu, Apr 30, 2009
Alternatives to Adobe Acrobat Reader
Adobe Acrobat Reader is not the only software available to view
PDFs. When a flaw is reported in Acrobat Reader, it may be possible
to protect oneself against it by using another software package to
view PDFs. Alternatives to Acrobat Reader for Windows systems
include Foxit, Cabaret Stage, Xpdf, PDF-XChange Viewer, and GSview.
A list of PDF software is maintained at Wikipedia.
Defending against SSH password guessing attacks
If you run an SSH server on your computer so that you can
log into it from outside, please make sure that all your
accounts, particularly system ones like "root", have strong,
hard-to-guess passwords, not short passwords
or passwords based on dictionary words or names. Increasingly, many
compromised machines on the internet are being used to try to connect
to any SSH service they can find, using guessed logins and passwords.
If you have SSH running on your machine, make sure all your passwords are
hard to guess.
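The password-guessing activity described above leaves a characteristic trail in the SSH server's log: bursts of "Failed password" lines from one source, often cycling through usernames such as "root". The following script, an added example that is not part of the original alert, scans constructed sshd log lines (not real data) and flags sources whose failure count or username spread suggests automated guessing rather than a mistyped password. The threshold and the syslog line format are assumptions.

```python
import re

# Constructed sample sshd log lines in syslog format (not from any real system).
SAMPLE_AUTH_LOG = """\
Apr 30 02:11:05 host sshd[4120]: Failed password for root from 192.0.2.10 port 51234 ssh2
Apr 30 02:11:07 host sshd[4120]: Failed password for root from 192.0.2.10 port 51236 ssh2
Apr 30 02:11:09 host sshd[4121]: Failed password for invalid user admin from 192.0.2.10 port 51240 ssh2
Apr 30 02:11:12 host sshd[4122]: Failed password for invalid user oracle from 192.0.2.10 port 51244 ssh2
Apr 30 02:11:15 host sshd[4123]: Failed password for invalid user test from 192.0.2.10 port 51250 ssh2
Apr 30 02:11:20 host sshd[4124]: Accepted password for alice from 198.51.100.7 port 40022 ssh2
Apr 30 02:12:01 host sshd[4125]: Failed password for alice from 198.51.100.7 port 40030 ssh2
Apr 30 02:12:04 host sshd[4126]: Accepted password for alice from 198.51.100.7 port 40032 ssh2
"""

# Matches both "Failed password for USER" and "Failed password for invalid user USER".
FAILED_RE = re.compile(
    r"sshd\[\d+\]: Failed password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port \d+"
)


def failed_logins_by_source(log_text):
    """Return {source_ip: {"attempts": n, "users": {...}}} built from failed-password lines."""
    stats = {}
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if not m:
            continue  # successful logins and unrelated lines are ignored
        entry = stats.setdefault(m.group("ip"), {"attempts": 0, "users": set()})
        entry["attempts"] += 1
        entry["users"].add(m.group("user"))
    return stats


def suspected_guessers(log_text, min_attempts=5):
    """Sources that reached the failure threshold (assumed value) or tried several
    distinct usernames, which a legitimate user mistyping one password rarely does."""
    return sorted(
        ip for ip, s in failed_logins_by_source(log_text).items()
        if s["attempts"] >= min_attempts or len(s["users"]) >= 3
    )


if __name__ == "__main__":
    stats = failed_logins_by_source(SAMPLE_AUTH_LOG)
    for ip in suspected_guessers(SAMPLE_AUTH_LOG):
        print(f"{ip}: {stats[ip]['attempts']} failed attempts, users {sorted(stats[ip]['users'])}")
```

On a real system the same logic can be run over /var/log/auth.log or the equivalent syslog file, and a flagged source is a cue to check whether any of the tried accounts have weak passwords.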
Autorun/Autoplay
Autorun/Autoplay is a feature of Microsoft Windows that allows software on
removable media (such as flash drives or memory cards) to run automatically.
Some worms/viruses, such as Conficker, use Autorun/Autoplay to propagate
from one machine to another. It is safest to disable Autorun/Autoplay
entirely on Windows computers.
To disable Autorun/Autoplay, follow the instructions at
http://www.us-cert.gov/cas/techalerts/TA09-020A.html.
Microsoft has admitted that their original instructions
do not fully disable Autorun/Autoplay, and have provided
updates at
http://support.microsoft.com/kb/953252. The loss of the Autorun/Autoplay
feature will mean that software will no longer run automatically when
you insert digital media. Most often, this means that software will not
automatically install when you insert the installation CD or DVD, and
you will have to click the drive icon of the removable device and then
double-click on the installer icon (usually called "setup"). However,
music and video CDs and DVDs will continue to play automatically.
Be Aware of "Phishing" Emails
There has been a rash of "spear phishing" attacks on campus. These are
emails targeted at specific people or groups that attempt to convince them
to execute a malicious attachment, click on a malicious link, or divulge
personal information (e.g. by emailing one's login and password to a
particular address). These "spear phishing" emails are crafted to appear
to come from trusted university sources, such as the campus help desk.
Please be aware that no university help desk or tech support group will send you an unsolicited message asking you to email a password or execute an attached program. If you get such a request, it is likely a forgery. For more information on the recent attacks, see http://www.news.utoronto.ca/campus-news/u-of-t-computer-staff-warn-of-phishing-scams.html
Sat, Mar 31, 2007
Malicious Email and Web Files Exploiting Microsoft Products
Since before the end of 2006, there have been a
number of unpatched vulnerabilities in Microsoft products, some of
them quite serious, that remain exploitable by email and/or the web.
Many of these vulnerabilities are being actively exploited. A summary
of these vulnerabilities is maintained by SANS Internet Storm Center (isc.sans.org) at
http://isc.sans.org/diary.html?storyid=1940
Some general recommendations for protecting oneself from malicious emails and web pages are as follows. Distrust Microsoft Office (Word, Excel, PowerPoint) email attachments that have not been solicited, even from people one knows (senders are easily forged). Read email in plain text wherever possible. Examine URLs in email messages for plausibility, and cut and paste them into one's web browser rather than merely clicking on them. If at all possible, avoid using Microsoft Outlook or Outlook Express for email, and Microsoft Internet Explorer as one's default web browser: use Internet Explorer only for trusted web pages that require it. Never browse the web or read email as an administrator; create and use a "limited user" for this so that any malicious command that may be executed will not have full access to the machine.
Unfortunately, following these recommendations will not provide complete protection. Only Microsoft can fix the flaws that are being exploited, and until they do, all users of the relevant products remain vulnerable. However, these may help reduce the risk.
To be emailed any new alerts as they appear, or to cease being emailed such alerts, send email to securityalerts-request@cs.